From 475149da1ad2d86e6ba293460def51bf56caf517 Mon Sep 17 00:00:00 2001
From: thomashaw
Date: Wed, 23 Feb 2022 15:07:07 +0000
Subject: [PATCH] updated rule generation + left comment in for testing. (2/?)

---
 lib/helpers/rules.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/helpers/rules.rb b/lib/helpers/rules.rb
index 570b69d59..715453e69 100644
--- a/lib/helpers/rules.rb
+++ b/lib/helpers/rules.rb
@@ -79,7 +79,7 @@ class Rules
 " query_string:\n" +
 # on box as:
 # query: "user.name: 'crackme' AND event.module: 'auditd' AND event.outcome: 'success' AND event.category: 'authentication'"
- ' query: \"user.name: \"' + goal['account_name'] +'\' AND event.module: auditd AND event.category: authentication AND event.outcome: success\"' + "\n" +
+ ' query: "user.name: \'' + goal['account_name'] +'\' AND event.module: \'auditd\' AND event.category: \'authentication\' AND event.outcome: \'success"' + "\n" +
 "alert:\n" +
 " - \"elastalert.modules.alerter.exec.ExecAlerter\"\n" +
 "command: [\"/usr/bin/ruby\", \"/opt/alert_actioner/alert_router.rb\"]\n" +
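Review bot: The added `query:` line never closes the single quote it opens before `success`, so the emitted rule ends in `event.outcome: 'success"` rather than the `'success'` shown in the comment two lines above, and the generated query is malformed. The tail of the line should read `' AND event.outcome: \'success\'"' + "\n" +`. Separately, `goal['account_name']` is concatenated straight into both the YAML string and the quoted query with no escaping, so a name containing `'`, `"` or a newline yields an unparseable rule file or alters which events the rule matches; escaping the value, or building the rule with a YAML emitter instead of string concatenation, would make the output well-formed for any input. The enclosing method and the multi-line string expression it builds both start and end outside the hunk.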